receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: aruba_switch
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[[["\u003cp\u003eThis guide provides instructions on how to collect and ingest Aruba switch syslog messages into Google SecOps using the Bindplane Agent.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves installing and configuring the Bindplane Agent on a Windows or Linux host to receive syslog data from the Aruba switch.\u003c/p\u003e\n"],["\u003cp\u003eYou must obtain a Google SecOps ingestion authentication file and customer ID to configure the Bindplane Agent for data transfer.\u003c/p\u003e\n"],["\u003cp\u003eThe Aruba switch must be configured to send syslog messages to the Bindplane Agent's IP address and port, which can be done through the command-line interface (CLI) or the web interface.\u003c/p\u003e\n"],["\u003cp\u003eThe parser extracts fields from the Aruba switch syslog messages and maps them to the Unified Data Model (UDM), assigning fields such as hostname, application, and description to their respective UDM counterparts.\u003c/p\u003e\n"]]],[],null,["# Collect Aruba switch logs\n=========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser extracts fields from Aruba switch syslog messages using grok patterns and maps them to the UDM model. It handles various fields, including timestamps, hostnames, application names, process IDs, event IDs, and descriptions, populating the relevant UDM fields. The event type is set based on the presence of principal information.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you have a Windows 2016 or later or a Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you privileged access to the Aruba switch.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Collection Agents**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: aruba_switch\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart the Bindplane Agent to apply the changes:\n\n sudo systemctl restart bindplane\n\nConfigure Syslog on the Aruba Switch\n------------------------------------\n\n1. Connect to the **Aruba** switch through the **Console**:\n\n ssh admin@\u003cswitch-ip\u003e\n\n2. Connect to the **Aruba** switch through a **Web Interface**:\n\n - Go to the Aruba switch web GUI.\n - Authenticate with the switch's administrator credentials.\n3. Enable **Syslog** using the **CLI** configuration:\n\n - Enter global configuration mode:\n\n configure terminal\n\n - Specify the external syslog server:\n\n logging \u003cbindplane-ip\u003e:\u003cbindplane-port\u003e\n\n - Replace `\u003cbindplane-ip\u003e` and `\u003cbindplane-port\u003e` with the address of your Bindplane agent.\n\n4. Optional: Set the logging **severity level**:\n\n logging severity \u003clevel\u003e\n\n | **Note:** Severity levels range from 0 (emergency) to 7 (debug).\n5. Optional: Add a **custom** log source **identifier** (tag):\n\n logging facility local5\n\n6. Save the configuration:\n\n write memory\n\n7. Enable **Syslog** using Web Interface Configuration:\n\n - Log in to the Aruba switch web interface.\n - Go to **System** \\\u003e **Logs** \\\u003e **Syslog**.\n - Add syslog server parameters:\n - Enter the **Bindplane IP** address.\n - Enter the **Bindplane Port**.\n - Set the **Severity Level** to control the verbosity of logs.\n - Click **Save**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
